diff --git a/.github/workflows/release-sigstore-java-from-tag.yaml b/.github/workflows/release-sigstore-java-from-tag.yaml
new file mode 100644
index 00000000..adc349f1
--- /dev/null
+++ b/.github/workflows/release-sigstore-java-from-tag.yaml
@@ -0,0 +1,112 @@
+name: Release sigstore-java to Maven Central
+on:
+ workflow_dispatch:
+ # user is expected to use a tag as the branch to run the action on
+
+jobs:
+ process-tag:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.version.outputs.version }}
+ steps:
+ - name: checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: process tag
+ id: version
+ run: |
+ TAG=${{ github.ref_name }}
+ echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT
+ - name: verify tag matches gradle version
+ run: |
+ set -Eeo pipefail
+ version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
+ if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then
+ echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version"
+ exit 1
+ fi
+
+ ci:
+ needs: [process-tag]
+ permissions:
+ id-token: write # To run github oidc tests
+ uses: ./.github/workflows/ci.yaml
+
+ build:
+ permissions:
+ id-token: write # To sign the artifacts
+ runs-on: ubuntu-latest
+ needs: [ci, process-tag]
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+ steps:
+ - name: checkout tag
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
+ with:
+ java-version: 11
+ distribution: 'temurin'
+
+ - name: Build, Sign and Release to Maven Central
+ run: |
+ ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository -Prelease
+ env:
+ ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }}
+ ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}
+ ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_USERNAME }}
+ ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
+
+ - name: SLSA -- Hash Artifacts
+ id: hash
+ run: |
+ mkdir slsa-files
+ cp sigstore-java/build/libs/*.jar slsa-files
+ cp sigstore-java/build/publications/mavenJava/pom-default.xml slsa-files/sigstore-java-${{ needs.process-tag.outputs.version }}.pom
+ cp sigstore-java/build/publications/mavenJava/module.json slsa-files/sigstore-java-${{ needs.process-tag.outputs.version }}.module
+ cd slsa-files
+ echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
+
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+ with:
+ name: project-release-artifacts
+ path: ./slsa-files
+ if-no-files-found: error
+
+ provenance:
+ needs: [build, process-tag]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+ # remember to update "Download Attestations" when SLSA updates to actions/download-artifact@v4
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ with:
+ provenance-name: "sigstore-java-${{ needs.process-tag.outputs.version }}.attestation.intoto.jsonl"
+ base64-subjects: "${{ needs.build.outputs.hashes }}"
+
+ create-release-on-github:
+ runs-on: ubuntu-latest
+ needs: [provenance, build, process-tag]
+ permissions:
+ contents: write
+ steps:
+ - name: Download attestation
+ # keep at v3.x since slsa generator uses 3.x (update this when slsa-framework updates)
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: "${{ needs.provenance.outputs.attestation-name }}"
+ path: ./release/
+ - name: Download gradle release artifacts
+ uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+ with:
+ name: project-release-artifacts
+ path: ./release/
+ - name: Create release
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15
+ with:
+ tag_name: v${{ needs.process-tag.outputs.version }}
+ body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details."
+ files: ./release/*
diff --git a/.github/workflows/tag-and-build-release.yaml b/.github/workflows/tag-and-build-release.yaml
deleted file mode 100644
index cb99afe6..00000000
--- a/.github/workflows/tag-and-build-release.yaml
+++ /dev/null
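Review bot: The `process tag` step expands `${{ github.ref_name }}` directly into the shell script, and the `verify tag matches gradle version` step does the same with `${{ github.ref }}` and `${{ steps.version.outputs.version }}`; the ref name is chosen by whoever dispatches the run, so it should reach the shell through `env:` rather than expression expansion, which is the pattern GitHub recommends against script injection. The step also never checks that the dispatched ref is actually a tag, even though the comment under `workflow_dispatch` says that is expected, so a branch whose name matches `gradle.properties` would pass the comparison and be published. Both can be closed in that one step by reading `github.ref_type` and `github.ref_name` from `env` and rejecting anything but a tag (below); the verify step should receive the version through `env:` the same way. Separately, `provenance` now passes `provenance-name:` as the input while `create-release-on-github` still reads `needs.provenance.outputs.attestation-name`; confirm the pinned generator v1.9.0 still emits that output, otherwise the download step gets an empty artifact name.
```yaml
      - name: process tag
        id: version
        env:
          REF_TYPE: ${{ github.ref_type }}
          TAG: ${{ github.ref_name }}
        run: |
          if [[ "$REF_TYPE" != "tag" ]]; then
            echo "this workflow must be dispatched from a tag, got $REF_TYPE $TAG"
            exit 1
          fi
          echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
      # … unchanged: verify tag matches gradle version step …
```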
@@ -1,110 +0,0 @@
-name: Tag and Build Release
-on:
- workflow_dispatch:
- inputs:
- release_version:
- description: new release version
- required: true
- default: (for example, 0.1.0)
-
-jobs:
- checks:
- runs-on: ubuntu-latest
- steps:
- - name: Check inputs
- run: |
- if [[ ! "${{ github.event.inputs.release_version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
- echo 'version "${{ github.event.inputs.release_version }}" not in ###.###.### format'
- exit 1
- fi
- ci:
- permissions:
- id-token: write # To run github oidc tests
- uses: ./.github/workflows/ci.yaml
-
- create-tag:
- needs: [checks, ci]
- runs-on: ubuntu-latest
- permissions:
- contents: write
- steps:
- - name: tag
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- with:
- script: |
- github.rest.git.createRef({
- owner: context.repo.owner,
- repo: context.repo.repo,
- ref: "refs/tags/v${{ github.event.inputs.release_version }}",
- sha: context.sha
- })
-
- build:
- runs-on: ubuntu-latest
- needs: [create-tag]
- outputs:
- hashes: ${{ steps.hash.outputs.hashes }}
- steps:
- - name: checkout tag
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: "refs/tags/v${{ github.event.inputs.release_version }}"
-
- - name: Set up JDK 11
- uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
- with:
- java-version: 11
- distribution: 'temurin'
-
- - name: Build project
- run: |
- ./gradlew clean :sigstore-java:createReleaseBundle -Pversion=${{ github.event.inputs.release_version }} -Prelease -PskipSign
-
- - name: Hash Artifacts
- id: hash
- run: |
- cd sigstore-java/build/release
- echo "hashes=$(sha256sum ./* | base64 -w0)" >> $GITHUB_OUTPUT
- sha256sum ./*
-
- - name: Upload build artifacts
- uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
- with:
- name: project-release-artifacts
- path: ./sigstore-java/build/release/
- if-no-files-found: error
-
- provenance:
- needs: [build]
- permissions:
- actions: read # To read the workflow path.
- id-token: write # To sign the provenance.
- contents: write # To add assets to a release.
- # use tags here: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
- with:
- attestation-name: "sigstore-java-${{ github.event.inputs.release_version }}.attestation.intoto.jsonl"
- base64-subjects: "${{ needs.build.outputs.hashes }}"
-
- create-release:
- runs-on: ubuntu-latest
- needs: [provenance, build]
- permissions:
- contents: write
- steps:
- - name: Download attestation
- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
- with:
- name: "${{ needs.provenance.outputs.attestation-name }}"
- path: ./release/
- - name: Download gradle release artifacts
- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
- with:
- name: project-release-artifacts
- path: ./release/
- - name: Create draft release
- uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v0.1.15
- with:
- tag_name: v${{ github.event.inputs.release_version }}
- body: "See [CHANGELOG.md](https://github.com/${{ vars.GITHUB_REPOSITORY }}/blob/main/CHANGELOG.md) for more details."
- files: ./release/*
diff --git a/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts b/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts
index fa50205c..9189bfeb 100644
--- a/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts
+++ b/build-logic/publishing/src/main/kotlin/build-logic.publish-to-central.gradle.kts
@@ -1,5 +1,3 @@
-import org.gradle.api.publish.internal.PublicationInternal
-
 plugins {
 id("java-library")
 id("maven-publish")
@@ -61,27 +59,11 @@ publishing {
 }
 }
 }
-}
-
-val createReleaseBundle by tasks.registering(Sync::class) {
- description = "This task should be used by github actions to create release artifacts along with a slsa attestation"
- val releaseDir = layout.buildDirectory.dir("release")
- outputs.dir(releaseDir)
-
- into(releaseDir)
- rename("pom-default.xml", "${project.name}-${project.version}.pom")
- rename("module.json", "${project.name}-${project.version}.module")
-}
-
-publishing {
- publications.configureEach {
- (this as PublicationInternal<*>).allPublishableArtifacts {
- val publicationArtifact = this
- createReleaseBundle.configure {
- dependsOn(publicationArtifact)
- from(publicationArtifact.file)
- }
+ repositories {
+ maven {
+ name = "sonatype"
+ url = uri("https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/")
+ credentials(PasswordCredentials::class)
 }
 }
 }
-
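Review bot: The new `repositories` block should document how its credentials are sourced, because `credentials(PasswordCredentials::class)` derives the property names from the repository `name`: Gradle resolves the project properties `sonatypeUsername` and `sonatypePassword`, which the release workflow injects as `ORG_GRADLE_PROJECT_sonatypeUsername` / `ORG_GRADLE_PROJECT_sonatypePassword`. Renaming the repository would silently break that coupling only at publish time, so a comment above `name = "sonatype"` such as `// the name drives credential lookup: sonatypeUsername / sonatypePassword project properties, supplied by the release workflow` would save the next maintainer a failed release. The enclosing `publishing {` block starts before this hunk.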